HIPAA Privacy Rule Guidance Issued Regarding COVID-19 Vaccines

Hodgson Russ Employee Benefits Newsletter

A list of frequently asked questions (FAQs) recently published by the Department of Health and Human Services addresses the application of HIPAA’s privacy rule to workplace COVID-19 disclosures.  HIPAA’s privacy rule generally prohibits a covered entity (i.e., health plans, health care clearinghouses, and health care providers) or business associate from disclosing protected health information without proper authorization.  Although a healthcare provider is generally prohibited from disclosing an individual’s vaccination status to an employer without proper authorization, the FAQs identify a number of situations where HIPAA’s privacy rule does not prohibit disclosure about an individual’s COVID-19 vaccination status.  For example, HIPAA’s privacy rule does not prohibit:

  • A business from asking customers if they have been vaccinated.
  • An employer from requiring its employees to disclose if they have been vaccinated.
  • An individual asking a company whether its workforce has been vaccinated.
  • An individual from disclosing their vaccination status to an employer or business.

HIPAA is often cited as a reason why health information such as an individual’s COVID-19 vaccination status may not be shared.  However, as illustrated in these FAQs, HIPAA’s privacy rules are generally limited to certain types of disclosures by certain types of entities.  (FAQs HIPAA, COVID-19 Vaccination, and the Workplace - September 30, 2021.)

Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.